REvil Ransomware attack on Kaseya VSA for Dummies

Security Enthusiast
AVM Consulting Blog
6 min read · Jul 11, 2021
Photo by Michael Geiger on Unsplash

On July 2, while many businesses already had staff off or preparing for a long holiday weekend, news surfaced throughout the day of a large ransomware attack by REvil. It affected hundreds of organisations (~800-1500) and millions of systems through a software supply chain attack using Kaseya’s VSA software, a remote monitoring and management (RMM) tool used by many managed service providers (MSPs). The timing was perfect for the attackers, as many companies would have only bare-minimum support staff during the long weekend.

Confused with too many complex terms like Ransomware, MSP, RMM, Supply chain attack? Let me explain these in simple words before I share more details about what exactly happened.

  • REvil — REvil (Ransomware Evil; also known as Sodinokibi) is a private ransomware-as-a-service (RaaS) operation.
  • Ransomware — Ransom malware, or ransomware, is a type of malware that encrypts a user’s or organisation’s critical data, prevents them from accessing that data, and demands a ransom payment in order to restore access.
  • Ransomware as a Service (RaaS) — RaaS is another subscription-based model similar to the * as a Service (SaaS, PaaS, IaaS, etc) model that enables affiliates to use already developed ransomware to execute ransomware attacks on their victims by paying some fee to the ransomware tool creator.
  • Managed Service Provider (MSP) — A managed service provider is an IT service company that remotely manages a customer’s IT infrastructure under a subscription model. MSP is responsible for managing and maintaining enterprise networks, service desk, patch management, remote monitoring and management (RMM), etc, so that these enterprises will be able to focus on improving their services without worrying about breakdowns or interruptions.
  • Supply chain attack — A supply chain is a network between a company and its suppliers to produce and distribute a specific product to the final buyer. A supply chain attack is a cyber-attack that seeks to damage an organisation by targeting less-secure elements in the supply chain. For example, a grocery shop contracting a third-party IT service company to develop an online portal for their customers. An attacker can target the software developed by this service company and include some malicious code to target customers of the grocery store.
  • Zero-day attack — An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack. A zero-day attack takes place when hackers exploit the flaw in software before developers or organisations have a chance to address it. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers, or a network.
  • Kaseya — Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure for managed service providers (MSPs) and small to medium-sized businesses (SMBs).
  • Kaseya VSA — Kaseya Virtual Service Administrator is a remote monitoring and management (RMM) tool offering remote monitoring and management for all IT functions integrated into a single console. The VSA tool proactively resolves IT incidents and automates common IT processes, including software deployment, patch management, antivirus and anti-malware (AV/AM) deployment, and routine maintenance.

What happened?

REvil exploited a zero-day vulnerability in Kaseya VSA software, allowing the attackers to deploy the malware remotely on Windows devices running the VSA agent application. They launched a malicious agent update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform. This exploit gave them privileged access to VSA servers, which they then used to deploy REvil ransomware across multiple managed service providers that use the Kaseya VSA software. They demanded $45K USD to restore the files from a single infected device, or $70 million USD paid in Bitcoin for a universal decryptor to unlock all affected systems.

This ransomware used a trusted channel and leveraged the trust that anti-malware software places in the VSA agent code. The first step executed by the malware was to deploy a base64-encoded file to Kaseya’s working directory, which was probably ignored by anti-virus engines due to its trust relationship with the VSA agent (Kaseya requires this trust relationship to be set up for its application and agent “working” folders). Once the encoded file was deployed, the attacker executed a set of shell commands remotely to decode and execute the payload, as well as to disable the anti-malware protection (Windows Defender in this case). After that, the malware payload dropped the msmpeng.exe file (an outdated version of Microsoft’s anti-malware service that is vulnerable to a technique known as DLL Hijacking) and the mpsvc.dll file.

mpsvc.dll is then loaded by msmpeng.exe through the DLL Hijacking technique and runs inside that process’s own memory space. Once executed, the ransomware loads and executes a small shellcode, which is responsible for unpacking and executing the final payload. That payload contains an encrypted configuration within the binary and begins to encrypt the local disk, connected removable drives, and mapped network drives. Because this action is initiated from a Microsoft-signed application, security controls typically trust it and allow it to run unhindered.

DLL Hijacking — DLL hijacking is an attack that exploits the Windows DLL search and load order, allowing an attacker to inject malicious code into an application. In simple terms, if an attacker can get a file onto your machine (mpsvc.dll), that file could be executed when the user runs an application that is vulnerable to DLL Hijacking (msmpeng.exe).
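The chain above (encoded file decoded in the agent working folder, Defender switched off, a relocated msmpeng.exe loading mpsvc.dll) gives a defender four concrete things to alert on. The following detection logic is an added example, not code from the post or from Kaseya; it runs over constructed Sysmon-style events, and the Defender install directories and the agent working folder (`C:\kworking`) are assumptions rather than paths taken from the post.

```python
"""Detection rules for the REvil/Kaseya VSA chain, run over constructed events."""
import re
from pathlib import PureWindowsPath

# Assumed locations: where a legitimate MsMpEng.exe lives, and the VSA agent working folder.
DEFENDER_DIRS = (r"c:\program files\windows defender",
                 r"c:\programdata\microsoft\windows defender\platform")
AGENT_WORKDIR = r"c:\kworking"  # assumption, not stated in the post

def _under(path, roots):
    """True if a Windows path sits below one of the given root directories."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(r.lower()) for r in roots)

def check_event(ev):
    """Return alert strings for one event (empty list means nothing suspicious)."""
    alerts = []
    image = ev.get("image", "")
    name = PureWindowsPath(image).name.lower()
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "process":
        # 1. Defender's service binary running from somewhere it was never installed
        if name == "msmpeng.exe" and not _under(image, DEFENDER_DIRS):
            alerts.append(f"msmpeng.exe started outside Defender directory: {image}")
        # 2. Defender protections being switched off through a preference change
        if "set-mppreference" in cmd and "-disable" in cmd:
            alerts.append("Defender preference modified to disable protection")
        # 3. A base64-encoded file being decoded inside the agent working folder
        if re.search(r"certutil.*-decode|frombase64string", cmd) and AGENT_WORKDIR in cmd:
            alerts.append("file decoded in agent working directory")
    elif ev["type"] == "imageload":
        # 4. mpsvc.dll pulled in by msmpeng.exe from a non-Defender path (DLL hijacking)
        loaded = PureWindowsPath(ev["loaded"]).name.lower()
        if name == "msmpeng.exe" and loaded == "mpsvc.dll" and not _under(ev["loaded"], DEFENDER_DIRS):
            alerts.append(f"possible DLL hijack: mpsvc.dll loaded from {ev['loaded']}")
    return alerts

def scan(events):
    """Apply check_event to every event; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]

SAMPLE_EVENTS = [  # constructed sample telemetry; event 0 is benign
    {"type": "process", "image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "cmdline": ""},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c certutil -decode C:\kworking\agent.crt C:\kworking\agent.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "image": r"C:\kworking\MsMpEng.exe", "cmdline": r"C:\kworking\MsMpEng.exe"},
    {"type": "imageload", "image": r"C:\kworking\MsMpEng.exe", "loaded": r"C:\kworking\mpsvc.dll"},
]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Each rule on its own is noisy in a real estate; the value is in seeing rules 1 and 4 fire on the same host within minutes of rule 2, which is exactly the sequence the post describes.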

Why it happened?

Attackers found and leveraged an unpatched zero-day vulnerability in Kaseya’s VSA software. At this point it is still not clear what the actual issue was or how the exploit may work; however, Kaseya released a security patch on 11th July which fixes three vulnerabilities: CVE-2021-30116, a credentials leak and business logic flaw; CVE-2021-30119, a cross-site scripting (XSS) vulnerability; and CVE-2021-30120, a bypass of two-factor authentication (2FA). These vulnerabilities were discovered and reported to Kaseya by a researcher of the Dutch Institute for Vulnerability Disclosure (DIVD). According to the DIVD, Kaseya was actively working on a patch, but it looks like the threat actors knew they were racing against the development of that patch and launched the attack before its release.

Best practices to protect against ransomware attack

Photo by Markus Spiske on Unsplash

A supply chain attack is one of the most difficult attacks to prevent because of the implicit trust placed in the supplier. However, organisations can consider the following recommendations to limit the impact of similar ransomware attacks:

  • Monitor all critical systems and services. Set up a “critical alert” notification for any anomalous modification of security settings or configurations, such as those observed with Windows Defender in this case.
  • Continuously monitor endpoint security events as an early warning of suspicious behaviour like mass file encryption or exfiltration.
  • “Think like the attacker,” and implement least-privilege access to corporate resources as well as strong endpoint visibility and detection tools.
  • Implement Zero-trust architecture — One of the most effective ways to prevent ransomware attacks is through the adoption of zero-trust architecture. Built on the principle ‘never trust, always verify,’ a zero-trust security strategy is helpful in preventing ransomware attacks. There should be no such thing as a trusted partner, nor a trusted employee, nor a trusted device. Access to resources should be on a dynamically controlled, least-privilege basis.
  • Create allow and deny lists to prevent the execution of unauthorised or unknown executables.
  • Regularly review and dry-run disaster recovery plans.
  • Take regular data backups, verify their integrity, and keep offline copies to facilitate restoration in the event of incidents like these.
  • Use network segregation to limit the propagation of threats.


One of the security enthusiasts in the world of cyber security, trying to simplify cyber security through the “for dummies” series of blogs.